Page Builder plugin vulnerabilities affect over 1 million WordPress sites

Page Builder, a WordPress plugin developed by SiteOrigin, is affected by security vulnerabilities that, according to experts in a cyber security course, expose affected websites to code execution attacks.

This plugin was developed by Greg Priday and is used for creating mobile content with easy-to-use drag and drop tools. The developers claim that this software is active on more than a million websites.

The vulnerabilities were reported by the team of experts from a Wordfence Threat Intelligence cyber security course a week ago. The report describes two flaws detected in the plugin, which would allow a threat actor to forge requests on behalf of a website administrator and execute malicious code in the administrator's browser. Exploitation requires the victim to click on a malicious link to start the attack.

The reported vulnerabilities have not yet received an identification key from the Common Vulnerability Scoring System (CVSS), although researchers anticipate that they will be considered critical flaws. The first of these errors is a cross-site request forgery (CSRF) vulnerability, while the second is a cross-site scripting (XSS) vulnerability.

The live editor is used to create and update content in posts, as well as to drag and drop widgets. Changes made to content are sent in a POST parameter, and checks are made in the metadata functions to ensure that users have the required permissions to edit posts.

Because of this, some widgets that include custom HTML could be abused to inject malicious JavaScript into an actively rendered page, according to experts from a cyber security course. If an administrator accesses a live preview page that contains this compromised widget, both vulnerabilities could be exploited.

Experts also found an additional cross-site request forgery flaw in the plugin’s action_builder_content function, connected to the AJAX wp_ajax_so_panels_builder_content action.

This function is used to send content submitted from the live editor to the standard WordPress editor in order to update or publish it. Although permission checks ensure that users have the required permissions for the given post_id, there is no request source validation, which leads to the CSRF flaw.
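
The pattern described above, a permission check without request source validation, is shown here beside its corrected form. This is an added example, not SiteOrigin's code: the plugin file, every example_* name, the _nonce field and the script path are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added example: hypothetical plugin file. All example_* names are invented for illustration.
defined( 'ABSPATH' ) || exit;

// BEFORE: capability check only. The browser attaches the administrator's session
// cookies to a cross-site POST as well, so current_user_can() passes for a forged
// request just as it does for a genuine one.
add_action( 'wp_ajax_example_builder_content_unsafe', function () {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = wp_unslash( $_POST['content'] ?? '' );
    wp_send_json_success( array( 'post_id' => $post_id, 'content' => $content ) );
} );

// AFTER: same handler, but the request must carry a nonce that was issued to this
// user for this action. A page on another origin cannot read that value, so it
// cannot build a request that passes the check.
add_action( 'wp_ajax_example_builder_content', function () {
    // Ends the request with HTTP 403 unless $_REQUEST['_nonce'] is valid.
    check_ajax_referer( 'example_builder_content', '_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = wp_unslash( $_POST['content'] ?? '' );
    wp_send_json_success( array( 'post_id' => $post_id, 'content' => $content ) );
} );

// The editor screen hands the nonce to its own JavaScript, which must send it
// back as the _nonce field of every AJAX POST to the handler above.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-live-editor',
        plugins_url( 'js/live-editor.js', __FILE__ ), // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-live-editor', 'exampleBuilder', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_builder_content' ),
    ) );
} );
```

Both checks are needed: the capability check answers whether the user may edit the post, and the nonce check answers whether the request came from the site's own editor screen.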
